
Wednesday, 12 August 2009

CA eTrust goes nuts with StdWin32 and other false positives

CA eTrust ITM has gone completely nuts today, with a load of seemingly random false positives mostly for StdWin32 in a large number of binaries, including some components of eTrust itself.

The core problem seems to be a signature update from 31.6.6672 to 33.3.7051. There seems to be little consistency in what is being detected as a false positive, although there are multiple occurrences of Nokia software, VNC and even DLLs and EXEs belonging to eTrust's core components.

Probably the best thing to do is block the update or change the Realtime scanning behaviour to "disabled" or "report only".

Update: the problem seems to have started at about 0525 GMT when the new signature pattern was applied. There is no consistent pattern to the infected files; it looks like it happens at random. Several other people seem to be having the same issue!

Update 3: Amusingly, CA eTrust seems to have deleted its own key components in many cases. I don't know if this is the first recorded case of an anti-virus application mistaking itself for malware!

Update 4: CA have released a statement as follows:

Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.

To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.

CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.

Update 5: Got a mention on El Reg. Funny thing is that I went in to work today wearing my El Reg T-shirt. Coincidence? Conspiracy? Cockup?

PS: Please remember to read the comments if you are still having problems!

Online with CA support now. They have fixed the problem - er, deleted the new sig and reverted back to the old one. Have your ITM server update and do the same to workstations. It is the 33.3.7051 sig that's bad.

Luke - I had similar issues on my BES server. To fix, disable & stop all eTrust (trust??!!) services on the ISA server. Map to the local drives on the ISA server & search for *AVB. If your realtime policy is set to cure files, all cured files should be returned. Just rename the files back to their original names.

eTrust is a terrible product. Currently testing Nod32 corporate edition as a replacement.

We've pushed 6674 out and it does seem to have resolved things. I've re-enabled the on-access scanning on affected machines and they're ticking over nicely.

No email from CA, though (as was promised) and no official word of any issue on their website, still.

Anyone else think this is something other than a simple false positive? Given the randomness of files affected and the fact that the virus name listed was (in 99% of our cases) an empty string, it looks like someone is going to get drawn and quartered for this.

I got 250 clients. Our eTrust setting for “Action to perform if cure fails” is not to “Quarantine file”, but to “Rename file”. Therefore I need a tool to restore all renamed files. i.e. remove the 0.AVB extension. Can “Renameavb2exe_with_date” from Restoretools.zip do the job?

Now I have tested the “Renameavb2exe_with_date” from Restoretools.zip, but it does not work. I still have all my 0.AVB files. I think I have a problem understanding what exactly the date parameter does. Does anyone know anything about that?

Date format is American - uses the date to strip the extension off dates on & after the last accessed date. Create a text file, rename it with the extension and test. You can reduce the drive letters by editing the executable. We are going to roll this out shortly - we have thousands of affected files...

Over 1000 computers in our company are infected with what we are calling the "ETrust update virus". Tons of help desk calls and countless hours of reinstalling software ahead... Only one more year under contract with CA and we'll be free. Hooray!

@Consumer: If you haven't already, try shutting down Apache Tomcat and all of the eTrust services on the server. Then go to your Program Files\CA folder and search (F3) for *.AVB. Rename any files that pop up in the results manually and then restart the services. You should be able to reach your Management console then.

@Steelgirl. Two possible options: Boot from the relevant CD and run an automatic repair. This should (hopefully) restore the missing files. If it works, run a Windows update to get them current again. Failing that, boot to a repair command prompt (either via safe mode or via the boot CD) and (deep breath) manually rename the affected files. (CD to C:\windows\ and use 'dir /s *.AVB' to locate them. Hopefully there won't be too many.) Once you're booting again, you can use the repair tools mentioned earlier. Good luck...
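Several of the comments above describe the same clean-up by hand: search for *.AVB, strip the extension to get the original name back, and only touch files renamed since the bad pattern arrived (which is what the date parameter of CA's rename tool is for). The script below is an added example written for this page, not CA's Restoretools; it assumes the renamed files are named `original.ext.0.AVB` (or `original.ext.AVB`), refuses to overwrite an existing good copy, and builds a constructed sample folder for its demo.

```python
# Added example (not CA's tool): restore files that an AV false positive renamed
# to *.AVB, but only those modified on/after the bad pattern's arrival, and never
# over an existing good copy. Assumed naming: "notepad.exe" -> "notepad.exe.0.AVB"
# (or plain "notepad.exe.AVB"); adjust AVB_SUFFIX if your build differs.
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

AVB_SUFFIX = re.compile(r"(\.\d+)?\.avb$", re.IGNORECASE)


def original_name(renamed):
    """Pre-rename file name, or None if this is not an .AVB rename."""
    return AVB_SUFFIX.sub("", renamed) if AVB_SUFFIX.search(renamed) else None


def plan_restore(root, cutoff):
    """Return (plan, skipped) as lists of (avb_path, original_path) pairs. .AVB files
    older than `cutoff` are left alone (possibly genuine, earlier detections); one whose
    original already exists goes to `skipped` rather than clobbering the good copy."""
    plan, skipped = [], []
    for path in Path(root).rglob("*"):
        orig = original_name(path.name)
        if orig is None or not path.is_file():
            continue
        if datetime.fromtimestamp(path.stat().st_mtime) < cutoff:
            continue
        target = path.with_name(orig)
        (skipped if target.exists() else plan).append((path, target))
    return plan, skipped


def apply_restore(plan):
    """Do the renames from plan_restore (run after reviewing it); returns the count."""
    for src, dst in plan:
        src.rename(dst)
    return len(plan)


def demo():
    """Constructed sample folder standing in for a hit machine; returns what happened."""
    root = Path(tempfile.mkdtemp())
    new = datetime(2009, 8, 12, 6, 0).timestamp()  # after the bad pattern landed
    old = datetime(2009, 1, 1).timestamp()        # an unrelated, earlier detection
    for name, stamp in [("a.exe.0.AVB", new), ("b.dll.AVB", new), ("old.exe.0.AVB", old),
                        ("c.exe", new), ("c.exe.0.AVB", new), ("readme.txt", new)]:
        (root / name).write_bytes(b"x")
        os.utime(root / name, (stamp, stamp))
    plan, skipped = plan_restore(root, datetime(2009, 8, 12, 5, 25))
    return sorted(d.name for _, d in plan), [s.name for s, _ in skipped], apply_restore(plan)
```

Run `plan_restore` on its own first and review the list; `c.exe.0.AVB` in the demo is the case where a good `c.exe` already exists and needs a human decision.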

A CA ITM engine update (engine v33) released at 1:04 AM ET on 8/12/09 has been found to detect multiple clean files as malicious in certain circumstances. If you are running CA ITM software and experiencing a false positive condition after upgrading to engine v33, please initiate an update immediately to resolve the false positive issue. An updated engine package (engine v34) was created and released the same day, 8/12/07, at 7:21 AM ET.

For the files which are already renamed or quarantined, we have uploaded the rename and un-quarantine tool to the below mentioned link.
ftp://ftp.ca.com/outgoing/8888888/17943192-01
File name: Renameavb2exe_with_date.rar
File name: CA_Unquarantine.rar
File name: Password.txt

Please download and run the rename tool or un-quarantine tool first to restore the files and then update the machines to version 34.0.0.6674.

Non-booting machines have had crucial OS files renamed - we are arming our engineers with the tool on a bootable USB drive to allow them to rename the files as they were. Alternately you could use a PE Builder CD with network capability to run the patch from CD or another network source.

If your non-booting system is a standard IDE or SATA drive, then often the easiest way to fix it is to put the HD from the victim machine into an external drive enclosure and slave it to a laptop or desktop. I've always found that a lot easier than mucking about with bootable CDs, USB keys and recovery consoles.

CA is crap. We finally got fed up with their bull crap and ditched them over a year ago. Sounds like a lot of you are considering doing the same. We switched to Sophos (Ya, I hadn't heard of them before either) but I got no problems recommending them. We tested Kaspersky, Nod32 and Trend; they were OK but not great.